454 Comments

RFID Protocol Cryptanalysis
After your edit, it's no longer clear what the actual scheme you're asking about is. You should either revert your question to its original state, or rewrite it to clearly describe the one specific scheme (or family of schemes) that you're interested in analyzing. If you wish to ask about a family of schemes, please try to limit the variation as much as possible, preferably to a small finite number of variants and/or a few adjustable numeric parameters like key length. Do not include parameters like "where $F$ is any function"; nobody can analyze a scheme at that level of generality.

Apr 14


RFID Protocol Cryptanalysis
XORing all the keys actually makes it worse: as soon as an attacker intercepts one $(k_i, r_i)$ pair, they can compute $k_{i+1} = k_i \oplus r_i$ and so impersonate the tag as many times as they want. Edit: The same also holds for $k_{i+1} = F(k_i)$, if anybody can compute $F$. If $F$ is secret (say, encryption with a secret key) then the first attack I describe won't apply, but the second may.

KDFs for symmetric encryption master key & serial number
The length of the "info" parameter does not matter; it just needs to be unique for each derived key. Or, to put it the other way around, if you feed the same PRK and info parameters to HKDF-Expand, you get the same key out. As for using separate keys for encryption and authentication, many authenticated encryption schemes (including, notably, those based on generic composition of a cipher and a MAC) require it for their security proofs to be valid.

Any efficient text-based steganographic schemes?
Hi, Manish, and welcome to Crypto Stack Exchange. I took a quick look at your scheme, and it looks pretty clever. On the other hand (and with no fault on your part implied), your answer did make me start to wonder if this question might not be a bit too broad for a Q&A site like this one; while your project seems interesting enough, we'd really rather not see dozens of other people following your example and also coming here to post links to their own steganography tools. Thus, I've decided to vote to close this question; we'll see if other people here agree.

How can I do a brute force (ciphertext only) attack on a CBC-encrypted message?
@RenéG: If there are only $2^{24}$ possible keys, as in the question above, then it's very unlikely that any of those keys would, just by chance, decrypt an 11-byte ciphertext to "black white". (The details depend on the cipher, but for, say, a modern additive stream cipher, the probability of this happening is about one in $2^{64}$, or about one in 18 quintillion (= billion billion).) Indeed, since there are far fewer than $2^{64}$ 11-character combinations of English words, it's extremely unlikely that a wrong key would decrypt your ciphertext to anything that looks like English.

Mar 21


Is it safe to prefix a key with a known value?
@CodesInChaos: I would. HMAC does have its quirks (like the ability to easily construct equivalent keys of different length), but it's still a secure MAC with keys of any length (even if the nominal security level is capped by the hash output length), as long as they have enough entropy to resist brute force attacks. (That said, if you're using multiple HMAC keys derived from each other, you should probably ensure that they're all the same length, or otherwise that they cannot be equivalent. Using a proper KDF to derive your keys from a single master key is generally enough.)
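
An added example (not part of any of the comments above) for the HKDF-Expand remarks in the "KDFs for symmetric encryption master key & serial number" comment and the advice here to derive same-length keys from one master key with a proper KDF. It implements RFC 5869 HKDF over HMAC-SHA-256 from the standard library; the master key, serial number and info labels are constructed placeholders, and the known-answer check uses RFC 5869 test case 1.

```python
import hmac
import hashlib


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869). The output is a deterministic function of
    (PRK, info, length): same inputs give the same key, and two different
    info strings (of any length) give independent-looking keys."""
    hash_len = hashlib.sha256().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length too large for HKDF-Expand")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) | info | i)
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(master_key: bytes, serial: bytes) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key of equal length from one
    master key and a per-device serial number. Only the info label differs,
    which is all HKDF-Expand needs to keep the two keys separate."""
    prk = hkdf_extract(b"", master_key)  # constructed: empty salt
    enc_key = hkdf_expand(prk, b"enc\x00" + serial, 32)
    mac_key = hkdf_expand(prk, b"mac\x00" + serial, 32)
    return enc_key, mac_key


def matches_rfc5869_case1() -> bool:
    """Known-answer check against RFC 5869 Appendix A, test case 1."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")
```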

Beginner question about secure communication with one user using DES
Is that really the exact question asked? I suppose the users could implement a Diffie-Hellman key exchange, if that's allowed, and then derive a DES (or better yet, triple-DES) key from the DH result. But without some kind of a prior shared secret (or asymmetric key pair), there's no way for the users to know they're talking with each other, and not with some middle-man.